(54) Method and apparatus for secure anonymous message transfer and electronic voting



(57) A number-theoretic based algorithm provides for secure anonymous message transfer and electronic
voting. A voter or sender may cast an encrypted vote or message that is processed through n centers in a
manner which prevents fraud and authenticates the votes. Any interested party can verify that each vote has
been properly counted. The invention can be realized by current-generation personal computers with access
to an electronic bulletin board.
Description

The present invention relates to secure anonymous message transfer and specifically, to number-theoretic
methods and apparatus for secure electronic voting.

Secure electronic voting is one of the most important applications of secure multi-party computation. Yet despite
extensive work on this subject, no complete solution has been found in either the theoretical or practical domains. Even
the general solutions to secure multi-party protocols fail to exhibit all of the desired security properties of elections.

A number of more practical voting protocols have been proposed, with widely differing security properties. Schemes
based on anonymous channels/mixers have become very popular due to their superior efficiency and the arbitrary
nature of the votes that are allowed.

Mix-net anonymous channels were first proposed by D. Chaum in an article entitled "Untraceable Electronic Mail,
Return Address, and Digital Pseudonyms" in Communication of the ACM, ACM, 1981, pp. 84 to 88. Subsequently,
many voting schemes have been proposed based on this basic technique as in an article by A. Fujioka et al, entitled
"A Practical Secret Voting Scheme for Large Scale Elections," in Advances in Cryptology - Auscrypt '92, 1992, pp. 244
to 251, and in an article by C. Park et al, entitled "All/Nothing Election Scheme and Anonymous Channel" in Advances
in Cryptology, Eurocrypt '93, 1993, pp. 248 to 259.

These schemes are efficient, but have the following shortcomings. The simplest of these schemes does not allow
a voter to securely protest the omission of a vote without allowing a malicious voter to block the election. After the
election, each voter is typically responsible for checking that their vote was correctly tallied. There is usually no way
for an outside observer to later verify that the election was properly performed. Furthermore, some anonymous channels
are vulnerable to an attack as described in an article by B. Pfitzmann entitled "Breaking an efficient anonymous channel"
in Eurocrypt '94 Proceedings, 1994, pp. 339 to 348.

In accordance with the teachings of the present invention, a secure anonymous channel and a voting scheme are
described in which an outside observer can verify that the election was indeed performed correctly. Therefore omission
of a vote can be detected by anyone, without fear of a malicious voter blocking the election. Furthermore, the present
invention also helps thwart an attack proposed by B. Pfitzmann, supra.

A secure anonymous channel is described where multiple messages to a same destination are transferred securely
through multiple mixing centers. If the messages to be sent are votes where the destination is a vote-counting center
and the first mixing center accepts messages of valid voters, then this scheme becomes a secure voting scheme. The
present invention generally refers to an anonymous message transfer scheme where secure electronic voting is a
practical application of the more general invention.

In the scheme, encrypted messages from the senders are successively processed by the mixing centers until the
last center outputs a randomly, untraceably ordered set of unencrypted messages. That is, the encryptions used for
the anonymous channel have been stripped off or decrypted. At a high level, the senders first post their encrypted
messages, mixing center i processes each message posted by mixing center i - 1 (or the senders, when i = 1) and
posts the results in permuted order.

A three-step procedure is followed by each mixing center i. The first step is posting decrypted results of each input
message. The second step is mixing the results and posting them in permuted order. The third step is proving that the
centers correctly executed the first and second steps. The Fiat-Shamir technique as discussed in an article entitled
"How to Prove Yourself: Practical Solutions to Identification and signature problems" in Advances in Cryptology - Crypto
'86, Springer-Verlag, 1986, pp. 186 to 199, can be used to make the above proofs non-interactive.

At the conclusion of the three step process or at a later time, any interested party can check the resulting proofs
to confirm that the messages have all been handled correctly. With this method for achieving universal verifiability there
is no need for adding redundancy to the messages.
Also, the invention results in a method which reduces the amount of communication and computation necessary
to generate, transmit and check the proofs by combining multiple proofs into a single proof.

The following description and drawings disclose, by means of an example, the invention which is characterised in
the appended claims, whose terms determine the extent of the protection conferred hereby.
In the drawings:-

Figure 1 is a schematic illustration of a preferred embodiment for practicing the present invention;
Figure 2 is a schematic illustration of message flow;
Figure 3 is a schematic illustration of a channel checker; and
Figure 4 is a schematic illustration of a message constructor.

An anonymous message transfer scheme illustrating the invention will now be described with reference to Figures
1 and 2. In accordance with the scheme, encrypted messages from senders 10(1), 10(2), 10(3)...10(l) are successively
processed by the mixing centers 11(1), 11(2), 11(3)...11(n) until the last center provides as its output a randomly,
untraceably ordered set of unencrypted messages. Voters cast their ballot by means of a sender which comprises a
computing means, preferably a personal computer but it may also be a workstation or the like. Similarly, each mixing
center comprises a computing means, preferably a personal computer, a workstation or the like. The senders first post
their encrypted messages preferably on an electronic bulletin board or other publicly available messaging means.
Mixing center 11(i) processes each message posted by the previous mixing center 11(i - 1) (or the senders 10, when
i = 1) and posts the results in permuted order until the last mixing center 11(n) posts the result or tally of the voting.
Having set forth an overview of the scheme, the detail of how a message m is initially encrypted by a sender and how
a mixing center 11(i) processes each message will now be described in detail.

Initially, entities participating in the voting, i.e. the senders and the mixing centers, need to agree on using prime
numbers p and q where the following relationships exist for some integer k

The value g' is a generator mod p and g is equal to

g = (g')^k mod p.

Assume there are n mixing centers. Each mixing center 11(i) generates an integer x_i ∈ Z* and publishes

y_i = g^{x_i} mod p

as its public key and keeps x_i as its secret key. For the purpose of simplification, w_i will represent the product
y_{i+1} · y_{i+2} ··· y_n and w_n = 1.

The message from a sender 10 is m. The sender generates a random number r_0 and posts

(G_1, M_1) = (g^{r_0} mod p, (w_0)^{r_0} · m mod p)

for use by mixing center 11(1).

For ease of explanation, the three steps of decrypt, shuffle and prove of the centers will be described in this order. 
However, implementation does not necessarily require the steps to be performed in this order. 

In response to input (G_i, M_i), mixing center 11(i) (i = 1, ..., n-1) generates a random number (independently for each
message-pair) and calculates the following values using the secret key x_i.

= mod p

H_{i+1} = G_i^{x_i} mod p

= w_i^{r_0 + r_1 + ... + r_i} · m mod p

and posts (H_{i+1}) corresponding to (G_i, M_i). The value (G_{i+1}, M_{i+1}) is posted, permuted with the other processed
messages, for use by mixing center 11(i+1).

The mixing center 11(i) executes a prove-DECRYPT algorithm for inputs (G_i, g, H_{i+1}). The description of the
algorithm prove-DECRYPT is given below. Execution of this algorithm proves that mixing center 11(i) generated H_{i+1}
correctly. Mixing center 11(i) then executes a prove-SHUFFLE algorithm, a description of which is given below.
Execution of this algorithm proves that the mixing center shuffled honestly.
Mixing center 11(n) recovers m from input (G_n, M_n) by computing:

m = M_n / G_n^{x_n} mod p.

The mixing center 11(n) then executes the prove-DECRYPT algorithm for inputs (G_n, g, y_n, M_n/m).

The algorithms prove-DECRYPT and prove-SHUFFLE will now be described. The algorithms involve a prover and
a verifier. The verifier may be a random beacon or an output of a suitable hash function, as is described below.

In order to describe the algorithm prove-DECRYPT, the first phase of the protocol is abstracted as follows. Given
G, the first step comprises performing decryption in order to generate mod p. The proof comprises, given (G,
g, y = g^x mod p, H), showing that H is generated in this manner from G. The algorithm is as follows:

prove-DECRYPT

1. The prover uniformly chooses r ∈ Z_{p-1}.

Let y' = g^r mod p
G' = G^r mod p.

The prover sends (y', G').

2a. With probability 1/2, the verifier asks the prover to reveal r. The verifier checks that y' and G' are consistent with r.

2b. With probability 1/2, the verifier asks the prover to reveal r' = r - x. The verifier checks that

y' = g^{r'} · y mod p and

G' = H · G^{r'} mod p.

end of algorithm

In order to describe the algorithm prove-SHUFFLE, the second step is abstracted as follows.
Given constants g, w and

the second step comprises generating r_1, r_2, ... and a permutation π and generating a set of pairs

B = ( a_{π(i)}^{(1)} · g^{r_i} mod p,
      a_{π(i)}^{(2)} · w^{r_i} mod p )

Here a_i^{(1)} refers to the G's and a_i^{(2)} refers to the M/H's in the first step. The proof comprises, given (A, B, g, w),
showing that B could be generated in this manner from A. The algorithm is as follows:

prove-SHUFFLE

1. The prover uniformly chooses t_i ∈ Z_{p-1}, a random permutation λ and

C = ( a_{λ(i)}^{(1)} · g^{t_i} mod p,
      a_{λ(i)}^{(2)} · w^{t_i} mod p ).

The prover sends C.

2a. With probability 1/2, the verifier asks the prover to reveal λ and t_i. The verifier checks that C is consistent with
A, λ, t_i in that way.

2b. With probability 1/2, the verifier asks the prover to reveal λ' = λ ∘ π^{-1} and t'_i = t_i - r_{λ'(i)}. The verifier checks
that C can be generated from B in the following way:

For B = ( b_i^{(1)}, b_i^{(2)} ),

C = ( b_{λ'(i)}^{(1)} · g^{t'_i} mod p,
      b_{λ'(i)}^{(2)} · w^{t'_i} mod p )

End of algorithm
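
One round of prove-SHUFFLE with both challenge branches, as an added sketch that is not part of the patent text. The toy primes, the constant standing in for w, the index convention (output i takes input perm[i]) and all function names are assumptions of this example.

```python
import secrets

# Constructed toy parameters, far too small for real use: p = 2q + 1.
P, Q = 467, 233
G = 4                 # order-q element, g = (g')^2 mod p with g' = 2
W = pow(G, 57, P)     # assumed stand-in for w (product of later centers' keys)


def rand_perm(n):
    """Uniform permutation of range(n) (Fisher-Yates with a CSPRNG)."""
    perm = list(range(n))
    for i in range(n - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return perm


def remask(pairs, perm, exps):
    """Output i is pairs[perm[i]] multiplied by (g^e_i, w^e_i) mod p."""
    return [(pairs[perm[i]][0] * pow(G, exps[i], P) % P,
             pairs[perm[i]][1] * pow(W, exps[i], P) % P)
            for i in range(len(pairs))]


def shuffle(pairs):
    """Second step of a center; also used for the prover's posting C."""
    n = len(pairs)
    perm = rand_perm(n)
    exps = [secrets.randbelow(P - 1) for _ in range(n)]
    return remask(pairs, perm, exps), (perm, exps)


def respond(secret, opening, bit):
    """Prover's answer: (lambda, t) for step 2a, (lambda', t') for step 2b."""
    (pi, r), (lam, t) = secret, opening
    if bit == 0:
        return lam, t
    inv_pi = [0] * len(pi)
    for pos, src in enumerate(pi):
        inv_pi[src] = pos
    lam2 = [inv_pi[src] for src in lam]            # pi[lam2[i]] == lam[i]
    t2 = [(ti - r[j]) % (P - 1) for ti, j in zip(t, lam2)]
    return lam2, t2


def check(A, B, C, bit, answer):
    """Verifier: C must be a re-masked permutation of A (2a) or of B (2b)."""
    perm, exps = answer
    n = len(A)
    if not (len(B) == len(C) == len(exps) == n):
        return False
    if sorted(perm) != list(range(n)):   # reject dropped or repeated inputs
        return False
    return remask(A if bit == 0 else B, perm, exps) == C


if __name__ == "__main__":
    # Constructed inputs: pairs (g^s, w^s * m) for messages 11, 22, 33.
    A = [(pow(G, s, P), pow(W, s, P) * m % P)
         for s, m in [(5, 11), (9, 22), (14, 33)]]
    B, secret = shuffle(A)
    C, opening = shuffle(A)
    for bit in (0, 1):
        print("honest B, challenge", bit,
              check(A, B, C, bit, respond(secret, opening, bit)))
    # A center that alters one posted pair survives 2a but not 2b.
    B_bad = [(B[0][0], B[0][1] * G % P)] + B[1:]
    for bit in (0, 1):
        print("altered B, challenge", bit,
              check(A, B_bad, C, bit, respond(secret, opening, bit)))
```

The permutation check in `check` matters as much as the algebra: without it an answer could repeat one input and omit another while every pair still verifies.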

Each execution of the algorithms prove-DECRYPT or prove-SHUFFLE finds a cheating prover with probability 1/2.
In order to raise this probability closer to 1, independent executions are necessary.

While these algorithms are given in terms of a verifier, a more efficient solution is to use the Fiat-Shamir method
of eliminating interaction. First, the protocol is run many times (on the order of 40 or 60) in order to make the probability
of withstanding all of the challenges exceedingly small. Then the verifier is replaced by a suitably "random looking"
hash function which generates the challenges from the prover's posting in Step 1 of the algorithms prove-DECRYPT
or prove-SHUFFLE. This heuristic of the Fiat-Shamir method is described in an article entitled "How to Prove Yourself:
Practical solutions to identification and signature problems" in Advances in Cryptology - Crypto '86, Springer-Verlag,
1986, pp. 186 to 199. This way the prover can send all the messages to the verifier in a single message. This message
is posted for public access.
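
The sketch below, added here and not part of the patent text, runs prove-DECRYPT for the last mixing center of a one-center channel and replaces the verifier with hash-derived challenges as the paragraph above describes. The toy primes, the single-center setup (so w_0 = y_1), the use of SHA-256 and all function names are assumptions of this example.

```python
import hashlib
import secrets

# Constructed toy parameters, far too small for real use: p = k*q + 1.
P, Q, K = 467, 233, 2
G = pow(2, K, P)      # g = (g')^k mod p with g' = 2, a generator mod 467
ROUNDS = 40           # the text suggests on the order of 40 or 60 runs


def keygen():
    """Mixing center key pair: secret x, public y = g^x mod p."""
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)


def encrypt(m, y):
    """Sender's posting (G_1, M_1) for a one-center channel."""
    r0 = secrets.randbelow(P - 1)
    return pow(G, r0, P), pow(y, r0, P) * m % P


def challenge_bits(statement, commits):
    """Fiat-Shamir: hash the statement and all step-1 postings into bits."""
    digest = hashlib.sha256(repr((statement, commits)).encode()).digest()
    return [(digest[i // 8] >> (i % 8)) & 1 for i in range(ROUNDS)]


def prove_decrypt(Gc, x):
    """Return H = Gc^x mod p and a non-interactive proof for (Gc, g, y, H)."""
    y, H = pow(G, x, P), pow(Gc, x, P)
    rs = [secrets.randbelow(P - 1) for _ in range(ROUNDS)]
    commits = [(pow(G, r, P), pow(Gc, r, P)) for r in rs]      # (y', G')
    bits = challenge_bits((Gc, G, y, H), commits)
    # bit 0: reveal r (step 2a); bit 1: reveal r' = r - x (step 2b)
    answers = [r if b == 0 else (r - x) % (P - 1) for r, b in zip(rs, bits)]
    return H, (commits, answers)


def verify_decrypt(Gc, y, H, proof):
    """Channel-checker side: recompute the challenges, check every round."""
    commits, answers = proof
    if len(commits) != ROUNDS or len(answers) != ROUNDS:
        return False
    bits = challenge_bits((Gc, G, y, H), commits)
    for (y1, G1), a, b in zip(commits, answers, bits):
        exp_y, exp_G = pow(G, a, P), pow(Gc, a, P)
        if b == 1:                       # y' = g^r' * y,  G' = H * G^r'
            exp_y, exp_G = exp_y * y % P, exp_G * H % P
        if (y1, G1) != (exp_y, exp_G):
            return False
    return True


def last_center(G1, M1, x):
    """Recover m = M / G^x mod p; the proof is for H = M / m."""
    H, proof = prove_decrypt(G1, x)
    m = M1 * pow(H, -1, P) % P
    return m, H, proof


if __name__ == "__main__":
    x, y = keygen()
    G1, M1 = encrypt(123, y)
    m, H, proof = last_center(G1, M1, x)
    print("recovered:", m, "proof ok:", verify_decrypt(G1, y, H, proof))
    wrong_H = M1 * pow(124, -1, P) % P   # center claims the message was 124
    print("wrong claim accepted:", verify_decrypt(G1, y, wrong_H, proof))
```

Because the statement (G, g, y, H) is hashed together with the commitments, a proof issued for one claimed output cannot be replayed for another.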

The bulk of the computation and communication required to execute algorithm prove-DECRYPT for each of the
messages from previous centers can be reduced. By combining many of the proofs into a single proof, the centers can
efficiently prove they decrypted all of the inputs correctly.

It is necessary to show that the following equation holds for each pair (G^{(j)}, H^{(j)}).

The above equations are reduced to the following single equation using randomly chosen coefficients c_j:

∏_j (H^{(j)})^{c_j} = ( ∏_j (G^{(j)})^{c_j} )^x mod p

A center can execute the above protocol where G = ∏_j (G^{(j)})^{c_j} and H = ∏_j (H^{(j)})^{c_j}. Advantage is made of
the fact that if one or more of the original equations is wrong, then if the coefficients are chosen randomly, the final
equation will also be wrong with high probability. These random coefficients must not be chosen by the prover, but
should be provided by a verifier, beacon or as the output of a suitable hash function.

Similarly, as a variation of the above scheme, the following two round anonymous channel can be constructed. In
the two round anonymous channel, each mixing center 11(i), on inputs (GpM) first shuffles the inputs to (G( p^mod p.
Ml • i/j mod p) and passes the shuffled values in a random order to the next center. Each center executes the
prove-SHUFFLE algorithm (with some constants fixed to this scheme) to prove the correctness of the information. When the
shuffled messages are finally provided to the mixing center 11(n), mixing center 11(n) publishes G^^ and ^f^^ for
each message. Then each mixing center 11(i) publishes H/= (f' . The mixing center 11(i) executes the
prove-DECRYPT algorithm with input (G^v Hj) to prove the correctness. The message m can be recovered by M^^/U Hf.

In order to avoid vote-duplication attack, each sender may sign and encrypt the message to be posted. That is,
the sender may sign the output of a message to be posted. By signing the output of a message constructor (described
below) and then encrypting the message using the public key of the first center 11(1), a malicious sender cannot copy
another sender's message, since the copied message would not have the correct signature. Moreover, the message
is encrypted in a manner such that the message cannot be decrypted, nor can a different signature be affixed to the
encrypted message.

Alternatively, the first center may conceal all of the message from the senders until each sender has posted a note
or message.

In order to prevent the first center 11(1) and a malicious sender from conspiring, it is possible to use a conventional
secure commitment scheme such as that discussed in an article by M. Naor, entitled "Bit commitment using
pseudo-randomness," in Advances in Cryptology - CRYPTO '89, 1989, pp. 128 to 136.

Having described a preferred method of practicing the present invention, preferred embodiments useful for
practicing the invention will now be described.

Figure 1 schematically illustrates a preferred embodiment for practicing the invention. The senders 10(1), 10(2),
10(3),...10(l) and mixing centers 11(1), 11(2), 11(3)...11(n) use personal computers or workstations connected to a
conventional electronic bulletin board 12. All parties (senders, verifiers, centers and the like) to the message transfer
process interact by posting messages to and receiving messages from the bulletin board. Senders can also serve as
centers. The personal computers either contain software to perform the method described above or alternatively contain
in hardware or software embodiments of the elements described in Figure 2.

Figure 2 illustrates how messages are anonymously transferred. Each message constructor 14(1), 14(2), 14(3)...
14(l) of message sender 10(1), 10(2), 10(3)...10(l) generates an encrypted message 16(1), 16(2), 16(3),...16(l), using
constants 15 as described above. The encrypted messages 16 are posted to the electronic bulletin board 12. Then
each mixing center 11(i) reads as its input message 17(i-1) from the bulletin board 12. (Mixing center 11(1) reads the
encrypted message 16.) The mixing center then follows the sequence process decrypt 19, shuffle 20, prove-DECRYPT
21, prove-SHUFFLE 22 using its secret key 23(i) as described above. The processed messages and proofs 17(1) are
posted to the electronic bulletin board. (Mixing center 11(n) posts decrypted messages 18.) In the case of electronic
voting, mixing center 11(n) will post a tally of the votes.

Figure 3 schematically illustrates a channel checker 24. The channel checker 24 receives constants 15, encrypted
messages 16, a set of processed messages and proofs 17(1), 17(2)... and decrypted messages 18 and determines
whether the message transfer was processed as specified above, thus indicating a valid or invalid channel. That is,
the channel checker includes a verifier for the proofs given by the mixing centers.

Figure 4 illustrates a message constructor 14. The message constructor 14 generates encrypted message 16 for
the message 25 using constants 15 as described above.

While there has been described and illustrated a preferred method and apparatus of secure anonymous message
transfer and electronic voting, it will be apparent to those skilled in the art that variations and modifications thereof, as
well as other embodiments, are possible without deviating from the broad teaching herein and that the scope of
protection sought is defined solely by the scope of the claims appended hereto.



Claims

1. A method of secure anonymous message transfer from a plurality of senders by use of a plurality of mixing centers
comprising the steps of:

(a) choosing constants which are posted for senders S_1, S_2, ..., S_l and mixing centers, C_1, C_2, ..., C_n;

(b) each sender S_k constructing an encrypted message which is posted;

(c) a first mixing center processing the posted messages from each sender S_k, which processed messages
are then posted for use by the next center;

(d) each mixing center C_2 through C_{n-1} sequentially processing the processed messages from the previous
center, which sequentially processed messages are then posted for use by the next center;

(e) the last mixing center C_n processing messages from the previous center C_{n-1} and posting the result;

(f) each mixing center proving the validity of its processing, which proof is posted; and

(g) channel checker verifying correctness of the execution from posted messages when necessary.

2. A method of secure anonymous message transfer as set forth in claim 1, where steps (c), (d) and (e) further
comprises:

(h) providing each mixing center with a secret key; and

(i) said processing including using the secret key of a respective mixing center.

3. A method of secure anonymous message transfer as set forth in claim 2, where said proving comprises executing
algorithm prove-DECRYPT.

4. A method of secure anonymous message transfer as set forth in claim 3, where said proving further comprises
executing algorithm prove-SHUFFLE.

5. A method of secure anonymous message transfer as set forth in claim 3, where said executing algorithm
prove-DECRYPT is executed for multiple messages together.

6. A method of secure anonymous message transfer as set forth in claim 2, where said proving comprises applying
the Fiat-Shamir method.

7. A method of secure anonymous message transfer as set forth in claim 2, further comprising (j) shuffling the
messages.

8. A method of secure anonymous message transfer as set forth in claim 1, where steps (c), (d), and (e) further
comprises shuffling the messages.
9. A method of secure anonymous message transfer as set forth in claim 8, where after the last mixing center C_n
posts the result, each mixing center executes algorithm prove-DECRYPT using the result.

10. A method of secure anonymous message transfer as set forth in claim 8, further comprising providing each mixing
center with a secret key and where after the last mixing center C_n posts the result, each mixing center performs
said processing using its respective secret key and the result.

11. A method of secure anonymous message transfer as set forth in claim 8, where said proving comprises executing
algorithm prove-SHUFFLE.

12. A method of secure anonymous message transfer as set forth in claim 11, where said proving comprises applying
the Fiat-Shamir method.

13. A method of secure anonymous message transfer as set forth in claim 8, where said proving comprises applying
the Fiat-Shamir method.

14. A method of secure anonymous message transfer as set forth in claim 1, where said proving comprises applying
the Fiat-Shamir method.

15. A method of secure anonymous message transfer as set forth in claim 1, where in step (b) each sender S_k posts
its encrypted message substantially simultaneously.

16. A method of secure anonymous message transfer as set forth in claim 1, where in step (b) each sender S_k
constructs its encrypted message using a key of said first mixing center and said encrypted message includes a
signature of a respective sender S_k.

17. A method of secure anonymous message transfer as set forth in claim 1, where in step (b) each sender S_k
constructs an encrypted message which is publicly revealed after said first mixing center receives a respective
encrypted message.

18. A method of secure anonymous message transfer as set forth in claim 1, said first mixing center processing
only legitimate messages and processing only one message from each sender.

19. A method of secure anonymous message transfer as set forth in claim 18, where said senders are voters and said
messages are votes.

20. A method of secure anonymous message transfer as set forth in claim 19, where said processing of said last
mixing center C_n comprises computing a tally.

21. An apparatus for secure anonymous message transfer comprising:

a bulletin board having constants;

a plurality of senders, S_1, S_2, ..., S_l, each sender S_k constructing an encrypted message using the constants
and posting said encrypted message to said bulletin board;

a plurality of mixing centers, C_1, C_2, ..., C_n, a first mixing center processing the posted messages from
each sender using the constants and posting a processed message to said bulletin board for use by the next
mixing center, each mixing center C_2 through C_{n-1} sequentially processing the processed message from the
previous mixing center using the constants and posting a further processed message to said bulletin board
for use by the next mixing center, the last mixing center C_n processing messages from the previous center
using the constants and posting the result on said bulletin board;

means associated with each respective mixing center for proving the validity of the processing of the respective
mixing center, which proof is posted on said bulletin board; and

channel checking means for verifying the correctness of execution from posted messages.
22. An apparatus for anonymous message transfer as set forth in claim 21, further comprising secret key means
associated with each respective mixing center for providing a secret key to said respective mixing center for
processing messages.

23. An apparatus for anonymous message transfer as set forth in claim 22, where said mixing center processes
messages by executing algorithm prove-DECRYPT.

24. An apparatus for anonymous message transfer as set forth in claim 23, where each said means associated with
each respective mixing center executes algorithm prove-DECRYPT.

25. An apparatus for anonymous message transfer as set forth in claim 24, where each means associated with each
respective mixing center executes algorithm prove-DECRYPT for multiple messages.

26. An apparatus for anonymous message transfer as set forth in claim 21, where said mixing center processes
messages by shuffling messages.

27. An apparatus for anonymous message transfer as set forth in claim 26, where said mixing centers process
messages by executing algorithm prove-SHUFFLE.

28. An apparatus for anonymous message transfer as set forth in claim 26, where each said means associated with
each respective mixing center executes algorithm prove-SHUFFLE.

29. An apparatus for anonymous message transfer as set forth in claim 21, where each sender S_k posts its encrypted
message to said bulletin board substantially simultaneously.

30. An apparatus for anonymous message transfer as set forth in claim 22, where each sender S_k constructs its
encrypted message using said secret key of said first mixing center C_1 and including a signature of the respective
sender S_k.

31. An apparatus for anonymous message transfer as set forth in claim 21, where each sender constructs an encrypted
message which is publicly revealed after said first mixing center receives a respective encrypted message.

32. An apparatus for anonymous message transfer as set forth in claim 21, said first mixing center C_1 processing only
legitimate messages and processing only one message from each sender.

33. An apparatus for anonymous message transfer as set forth in claim 32, where said senders are voters and said
messages are votes.

34. An apparatus for anonymous message transfer as set forth in claim 33, where said result comprises a tally.